Re: [Freeipa-users] Problem with Kerberised NFS mount

2013-07-15 Thread Simo Sorce
On Mon, 2013-07-15 at 16:15 +, Ondrej Valousek wrote:
> Ok. I agree that the problem needs to be fixed in kernel - let's hope
> the patches will find their way into RHEL 7 ;-).

I am not aware of any kernel issue.

> Does it mean that since Fedora 19 the default location of krb5.keytab
> is /var/lib/gssproxy?

No, the default keytab is always /etc/krb5.keytab

Simo.

> Sent from Samsung Mobile
> 
> ---- Original message ----
> From: Simo Sorce
> Date:
> To: "Adamson, Andy"
> Cc: and...@wasielewski.co.uk,freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Problem with Kerberised NFS mount
> 
> 
> 
> On Fri, 2013-07-12 at 19:16 +, Adamson, Andy wrote:
> > On Jul 12, 2013, at 3:02 PM, Rob Crittenden wrote:
> > 
> > > Chuck Lever wrote:
> > >> 
> > >> On Jul 12, 2013, at 2:43 PM, Ondrej Valousek
> > >> <ovalou...@vendavo.com> wrote:
> > >> 
> > >>> Just back to the Kerberized NFS. Any solution to RH bugzilla #786463
> > >>> on the horizon yet?
> > >>> Expiring tickets will render the whole concept unusable otherwise.
> > >>> 
> > >>> Anyone?
> > >> 
> > >> Ask on linux-...@vger.kernel.org.  I
> > >> know upstream is working on this problem.
> > > 
> > > https://fedorahosted.org/gss-proxy/ will solve the problem.
> > 
> > Only for renewable tickets that gss-proxy renews. If a user has a
> > non-renewable ticket, then the problem still exists.  I'm working on a
> > set of GSS expiry patches and I'll make sure this problem is solved in
> > the kernel.
> 
> Just to avoid confusion.
> 
> GSS-Proxy doesn't really handle renews at this stage (except as a
> possible side effect of GSSAPI doing it under the hood on its own), it
> only handles acquiring new credentials using keytabs or using existing
> valid credentials from a standard ccache pre-populated by the user.
> 
> Simo.
> 
> -- 
> Simo Sorce * Red Hat, Inc * New York
> 
> ___
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
> 


-- 
Simo Sorce * Red Hat, Inc * New York


Re: [Freeipa-users] Problem with Kerberised NFS mount

2013-07-15 Thread Ondrej Valousek
Ok. I agree that the problem needs to be fixed in kernel - let's hope the 
patches will find their way into RHEL 7 ;-).
Does it mean that since Fedora 19 the default location of krb5.keytab is 
/var/lib/gssproxy?
O.


Sent from Samsung Mobile

---- Original message ----
From: Simo Sorce
Date:
To: "Adamson, Andy"
Cc: and...@wasielewski.co.uk,freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Problem with Kerberised NFS mount


On Fri, 2013-07-12 at 19:16 +, Adamson, Andy wrote:
> On Jul 12, 2013, at 3:02 PM, Rob Crittenden wrote:
>
> > Chuck Lever wrote:
> >>
> >> On Jul 12, 2013, at 2:43 PM, Ondrej Valousek <ovalou...@vendavo.com> wrote:
> >>
> >>> Just back to the Kerberized NFS. Any solution to RH bugzilla #786463
> >>> on the horizon yet?
> >>> Expiring tickets will render the whole concept unusable otherwise.
> >>>
> >>> Anyone?
> >>
> >> Ask on linux-...@vger.kernel.org.  I
> >> know upstream is working on this problem.
> >
> > https://fedorahosted.org/gss-proxy/ will solve the problem.
>
> Only for renewable tickets that gss-proxy renews. If a user has a
> non-renewable ticket, then the problem still exists.  I'm working on a set of
> GSS expiry patches and I'll make sure this problem is solved in the kernel.

Just to avoid confusion.

GSS-Proxy doesn't really handle renews at this stage (except as a
possible side effect of GSSAPI doing it under the hood on its own), it
only handles acquiring new credentials using keytabs or using existing
valid credentials from a standard ccache pre-populated by the user.

Simo.

--
Simo Sorce * Red Hat, Inc * New York


Re: [Freeipa-users] Problem with Kerberised NFS mount

2013-07-15 Thread Dean Hunter
On Mon, 2013-07-15 at 09:33 -0400, Simo Sorce wrote:

> On Fri, 2013-07-12 at 17:15 -0500, Dean Hunter wrote:
> > On Fri, 2013-07-12 at 16:52 -0400, Dmitri Pal wrote:
> > > F19 has GSS proxy. I encourage you to use it. I know it was tried
> > > and worked as several bugs have been addressed.
> > > Gunther CCed will be back from PTO next week and should be able to
> > > help.  
> > 
> > Is the GSS proxy configured by ipa-client-automount?
> 
> No, gssproxy is quite new and we do not configure it by default at this
> stage.
> It has been tested only with NFS (both server and client) on Fedora 19.
> 
> Simo.
> 

Where might I find instructions on how to configure the GSS proxy for
use with IPA and automount?


Re: [Freeipa-users] Problem with Kerberised NFS mount

2013-07-15 Thread Simo Sorce
On Mon, 2013-07-15 at 08:50 -0500, Dean Hunter wrote:
> On Mon, 2013-07-15 at 09:33 -0400, Simo Sorce wrote: 
> > On Fri, 2013-07-12 at 17:15 -0500, Dean Hunter wrote:
> > > On Fri, 2013-07-12 at 16:52 -0400, Dmitri Pal wrote:
> > > > F19 has GSS proxy. I encourage you to use it. I know it was tried
> > > > and worked as several bugs have been addressed.
> > > > Gunther CCed will be back from PTO next week and should be able to
> > > > help.  
> > > 
> > > Is the GSS proxy configured by ipa-client-automount?
> > 
> > No, gssproxy is quite new and we do not configure it by default at this
> > stage.
> > It has been tested only with NFS (both server and client) on Fedora 19.
> > 
> > Simo.
> > 
> Where might I find instructions on how to configure the GSS proxy for
> use with IPA and automount?
> 
The default configuration of GSS-Proxy should be sufficient, just
install it and enable it to start on the client.

You can then drop keytabs in /var/lib/gssproxy/clients, look at the
default configuration to see how the scheme works.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Problem with Kerberised NFS mount

2013-07-15 Thread Simo Sorce
On Fri, 2013-07-12 at 19:16 +, Adamson, Andy wrote:
> On Jul 12, 2013, at 3:02 PM, Rob Crittenden wrote:
> 
> > Chuck Lever wrote:
> >> 
> >> On Jul 12, 2013, at 2:43 PM, Ondrej Valousek wrote:
> >> 
> >>> Just back to the Kerberized NFS. Any solution to RH bugzilla #786463
> >>> on the horizon yet?
> >>> Expiring tickets will render the whole concept unusable otherwise.
> >>> 
> >>> Anyone?
> >> 
> >> Ask on linux-...@vger.kernel.org.  I
> >> know upstream is working on this problem.
> > 
> > https://fedorahosted.org/gss-proxy/ will solve the problem.
> 
> Only for renewable tickets that gss-proxy renews. If a user has a
> non-renewable ticket, then the problem still exists.  I'm working on a set of
> GSS expiry patches and I'll make sure this problem is solved in the kernel.

Just to avoid confusion.

GSS-Proxy doesn't really handle renews at this stage (except as a
possible side effect of GSSAPI doing it under the hood on its own), it
only handles acquiring new credentials using keytabs or using existing
valid credentials from a standard ccache pre-populated by the user.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Problem with Kerberised NFS mount

2013-07-15 Thread Simo Sorce
On Fri, 2013-07-12 at 17:15 -0500, Dean Hunter wrote:
> On Fri, 2013-07-12 at 16:52 -0400, Dmitri Pal wrote:
> > F19 has GSS proxy. I encourage you to use it. I know it was tried
> > and worked as several bugs have been addressed.
> > Gunther CCed will be back from PTO next week and should be able to
> > help.  
> 
> Is the GSS proxy configured by ipa-client-automount?

No, gssproxy is quite new and we do not configure it by default at this
stage.
It has been tested only with NFS (both server and client) on Fedora 19.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Problem with Kerberised NFS mount

2013-07-15 Thread Adamson, Andy

On Jul 12, 2013, at 3:02 PM, Rob Crittenden wrote:

> Chuck Lever wrote:
>> 
>> On Jul 12, 2013, at 2:43 PM, Ondrej Valousek wrote:
>> 
>>> Just back to the Kerberized NFS. Any solution to RH bugzilla #786463
>>> on the horizon yet?
>>> Expiring tickets will render the whole concept unusable otherwise.
>>> 
>>> Anyone?
>> 
>> Ask on linux-...@vger.kernel.org.  I
>> know upstream is working on this problem.
> 
> https://fedorahosted.org/gss-proxy/ will solve the problem.

Only for renewable tickets that gss-proxy renews. If a user has a non-renewable 
ticket, then the problem still exists.  I'm working on a set of GSS expiry 
patches and I'll make sure this problem is solved in the kernel.

-->Andy

> 
> rob
> 


Re: [Freeipa-users] Problem with Kerberised NFS mount

2013-07-12 Thread Dean Hunter
On Fri, 2013-07-12 at 16:52 -0400, Dmitri Pal wrote:

> F19 has GSS proxy. I encourage you to use it. I know it was tried and
> worked as several bugs have been addressed.
> Gunther CCed will be back from PTO next week and should be able to
> help.  


Is the GSS proxy configured by ipa-client-automount?


Re: [Freeipa-users] Problem with Kerberised NFS mount

2013-07-12 Thread Dmitri Pal
On 07/12/2013 03:22 PM, Dean Hunter wrote:
> On Fri, 2013-07-12 at 18:55 +, Adamson, Andy wrote:
>>
>> On Jul 12, 2013, at 2:43 PM, Ondrej Valousek <ovalou...@vendavo.com> wrote:
>>
>>> Just back to the Kerberized NFS. Any solution to RH bugzilla #786463
>>> on the horizon yet? 
>>> Expiring tickets will render the whole concept unusable otherwise. 
>>
>>
>> Hi 
>>
>>
>> I'm looking into Kerberized NFS client issues and bugs. I'll be sure
>> to add this to my todo list.  Do you know if anyone has tried with
>> the latest upstream kernel? 
>>
>
> I have a Kerberized NFS auto mount working very nicely on Fedora 18,
> FreeIPA 3.1.5-1 and company.  But I am having problems getting the
> same configuration to work on Fedora 19, FreeIPA 3.2.1-1 and company. 
> I have been working to refine the problem definition to more than it
> does not work.

F19 has GSS proxy. I encourage you to use it. I know it was tried and
worked as several bugs have been addressed.
Gunther CCed will be back from PTO next week and should be able to help. 

>
>> -->Andy 
>>
>>>
>>>
>>> Anyone? 
>>> O. 
>>>
>>>
>>>
>>>
>>> Sent from Samsung Mobile
>>>
>>> ---- Original message ----
>>> From: Ondrej Valousek <ovalou...@vendavo.com>
>>> Date:
>>> To: and...@wasielewski.co.uk,freeipa-users@redhat.com
>>> Subject: RE: [Freeipa-users] Problem with Kerberised NFS mount
>>>
>>>
>>> Hard to say. 
>>> In general, when dealing w/ nfs & kerberos, I would advise to: 
>>> ● Upgrade to the latest fedora
>>> ● Make sure idmapper is configured and working fine
>>> ● Limit krb enctypes to 3des-cbc-crc (not sure if your kernel can
>>> handle aes keys).
>>> Ondrej 
>>>
>>>
>>>
>>>
>>> Sent from Samsung Mobile
>>>
>>> ---- Original message ----
>>> From: Andrew Wasielewski <and...@wasielewski.co.uk>
>>> Date:
>>> To: freeipa-users@redhat.com
>>> Subject: [Freeipa-users] Problem with Kerberised NFS mount
>>>
>>>
>>> Hello everyone, 
>>>  
>>>
>>> I am setting up FreeIPA for a small home network. However I have a
>>> problem mounting NFS shares with Kerberos enabled - see syslog
>>> output below. 
>>>  
>>>
>>> My NFS, KDC and FreeIPA servers are all on the same host. I am
>>> running the NFS mount directly on the server, which has local
>>> firewall disabled - I get the same outcome on a remote client, but
>>> this surely eliminates any network issues. 
>>>  
>>>
>>> These are my NFS exports, which are visible both locally and
>>> remotely with "showmount -e":- 
>>>  
>>>
>>> [root@server ~]# exportfs -av 
>>> exporting gss/krb5:/home 
>>> exporting gss/krb5i:/home 
>>> exporting gss/krb5p:/home 
>>>  
>>>
>>> The command "mount -t nfs4 -o sec=krb5
>>> server.wasielewski.co.uk:/home /mnt/test_mnt" hangs
>>> indefinitely. However without the Kerberos export options the NFS
>>> share can be mounted both locally and remotely without problem.
>>>  
>>>
>>> I read in a post that the "serializing key with enctype 18 and size
>>> 32" entry in syslog means I am trying to use an unsupported key with
>>> AES256 encryption (I can find very little about enctype numbers
>>> though); however I appear to have an AES256 service principal: 
>>>  
>>>
>>> [root@server etc]# ktutil 
>>> ktutil: rkt /etc/krb5.keytab 
>>> ktutil: list -e 
>>> slot KVNO Principal 
>>>  
>>> - 
>>> 1 2 host/server.wasielewski.co...@wasielewski.co.uk
>>> (aes256-cts-hmac-sha1-96)
>>> 2 2 host/server.wasielewski.co...@wasielewski.co.uk
>>> (aes128-cts-hmac-sha1-96)
>>> 3 2 host/server.wasielews

Re: [Freeipa-users] Problem with Kerberised NFS mount

2013-07-12 Thread Dean Hunter
On Fri, 2013-07-12 at 18:55 +, Adamson, Andy wrote:

> 
> 
> On Jul 12, 2013, at 2:43 PM, Ondrej Valousek wrote:
> 
> 
> 
> > Just back to the Kerberized NFS. Any solution to RH bugzilla #786463
> > on the horizon yet?
> > Expiring tickets will render the whole concept unusable otherwise.
> 
> 
> 
> Hi
> 
> 
> I'm looking into Kerberized NFS client issues and bugs. I'll be sure
> to add this to my todo list.  Do you know if anyone has tried with the
> latest upstream kernel?
> 


I have a Kerberized NFS auto mount working very nicely on Fedora 18,
FreeIPA 3.1.5-1 and company.  But I am having problems getting the same
configuration to work on Fedora 19, FreeIPA 3.2.1-1 and company.  I have
been working to refine the problem definition to more than it does not
work.

> -->Andy
> 
> 
> > 
> > 
> > Anyone?
> > O.
> > 
> > 
> > 
> > 
> > Sent from Samsung Mobile
> > 
> > ---- Original message ----
> > From: Ondrej Valousek
> > Date:
> > To: and...@wasielewski.co.uk,freeipa-users@redhat.com
> > Subject: RE: [Freeipa-users] Problem with Kerberised NFS mount
> > 
> > 
> > 
> > Hard to say.
> > In general, when dealing w/ nfs & kerberos, I would advise to:
> > ● Upgrade to the latest fedora
> > ● Make sure idmapper is configured and working fine
> > ● Limit krb enctypes to 3des-cbc-crc (not sure if your kernel can
> > handle aes keys).
> > Ondrej
> > 
> > 
> > 
> > 
> > Sent from Samsung Mobile
> > 
> > ---- Original message ----
> > From: Andrew Wasielewski
> > Date:
> > To: freeipa-users@redhat.com
> > Subject: [Freeipa-users] Problem with Kerberised NFS mount
> > 
> > 
> > 
> > Hello everyone,
> > 
> >  
> > 
> > 
> > I am setting up FreeIPA for a small home network. However I have a
> > problem mounting NFS shares with Kerberos enabled - see syslog
> > output below.
> > 
> >  
> > 
> > 
> > My NFS, KDC and FreeIPA servers are all on the same host. I am
> > running the NFS mount directly on the server, which has local
> > firewall disabled - I get the same outcome on a remote client, but
> > this surely eliminates any network issues.
> > 
> >  
> > 
> > 
> > These are my NFS exports, which are visible both locally and
> > remotely with "showmount -e":-
> > 
> >  
> > 
> > 
> > [root@server ~]# exportfs -av
> > exporting gss/krb5:/home
> > exporting gss/krb5i:/home
> > exporting gss/krb5p:/home
> > 
> >  
> > 
> > 
> > The command "mount -t nfs4 -o sec=krb5
> > server.wasielewski.co.uk:/home /mnt/test_mnt" hangs indefinitely.
> > However without the Kerberos export options the NFS share can be
> > mounted both locally and remotely without problem.
> > 
> >  
> > 
> > 
> > I read in a post that the "serializing key with enctype 18 and size
> > 32" entry in syslog means I am trying to use an unsupported key with
> > AES256 encryption (I can find very little about enctype numbers
> > though); however I appear to have an AES256 service principal:
> > 
> >  
> > 
> > 
> > [root@server etc]# ktutil
> > ktutil: rkt /etc/krb5.keytab
> > ktutil: list -e
> > slot KVNO Principal
> >  
> > -
> > 1 2 host/server.wasielewski.co...@wasielewski.co.uk
> > (aes256-cts-hmac-sha1-96) 
> > 2 2 host/server.wasielewski.co...@wasielewski.co.uk
> > (aes128-cts-hmac-sha1-96) 
> > 3 2 host/server.wasielewski.co...@wasielewski.co.uk (des3-cbc-sha1) 
> > 4 2 host/server.wasielewski.co...@wasielewski.co.uk (arcfour-hmac) 
> > 5 5 nfs/server.wasielewski.co...@wasielewski.co.uk
> > (aes256-cts-hmac-sha1-96) 
> > 
> >  
> > 
> > 
> > My versions are:
> > Fedora 17 (kernel 3.8.13-100.fc17.x86_64)
> > FreeIPA 2.2.2
> > krb5 1.10.2
> > nfs-utils 1.2.6
> > I have read of this issue being fixed by downgrading nfs-utils to
> > 1.2.5; however that is not possible due to conflict with systemd.
> > Everything else appears to work OK e.g. domain login, automap etc.
> > When I try to mount the Kerberised NFS share, *nothing* appears
> > in /var/log/krb5kdc.log
> > 
> >  
> > 
> > 
> > Here is my syslog output when attempt the moun

Re: [Freeipa-users] Problem with Kerberised NFS mount

2013-07-12 Thread Ondrej Valousek
I have only tried with latest centos 6 - i.e. pretty old :-(. But I doubt there 
is any change in recent kernels.

Hope Simo or Steve Dickson could perhaps shed some light...

But agree, this is not the best list to discuss this.
O.


Sent from Samsung Mobile

---- Original message ----
From: "Adamson, Andy"
Date:
To: Ondrej Valousek
Cc: and...@wasielewski.co.uk,freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Problem with Kerberised NFS mount



On Jul 12, 2013, at 2:43 PM, Ondrej Valousek <ovalou...@vendavo.com> wrote:

Just back to the Kerberized NFS. Any solution to RH bugzilla #786463 on the 
horizon yet?
Expiring tickets will render the whole concept unusable otherwise.

Hi

I'm looking into Kerberized NFS client issues and bugs. I'll be sure to add 
this to my todo list.  Do you know if anyone has tried with the latest upstream 
kernel?

-->Andy


Anyone?
O.


Sent from Samsung Mobile

---- Original message ----
From: Ondrej Valousek <ovalou...@vendavo.com>
Date:
To: and...@wasielewski.co.uk,freeipa-users@redhat.com
Subject: RE: [Freeipa-users] Problem with Kerberised NFS mount


Hard to say.
In general, when dealing w/ nfs & kerberos, I would advise to:
● Upgrade to the latest fedora
● Make sure idmapper is configured and working fine
● Limit krb enctypes to 3des-cbc-crc (not sure if your kernel can handle aes 
keys).
Ondrej


Sent from Samsung Mobile

---- Original message ----
From: Andrew Wasielewski <and...@wasielewski.co.uk>
Date:
To: freeipa-users@redhat.com
Subject: [Freeipa-users] Problem with Kerberised NFS mount


Hello everyone,



I am setting up FreeIPA for a small home network. However I have a problem 
mounting NFS shares with Kerberos enabled - see syslog output below.



My NFS, KDC and FreeIPA servers are all on the same host. I am running the NFS 
mount directly on the server, which has local firewall disabled - I get the 
same outcome on a remote client, but this surely eliminates any network issues.



These are my NFS exports, which are visible both locally and remotely with 
"showmount -e":-



[root@server ~]# exportfs -av
exporting gss/krb5:/home
exporting gss/krb5i:/home
exporting gss/krb5p:/home



The command "mount -t nfs4 -o sec=krb5 
server.wasielewski.co.uk:/home /mnt/test_mnt" 
hangs indefinitely. However without the Kerberos export options the NFS share 
can be mounted both locally and remotely without problem.



I read in a post that the "serializing key with enctype 18 and size 32" entry 
in syslog means I am trying to use an unsupported key with AES256 encryption (I 
can find very little about enctype numbers though); however I appear to have an 
AES256 service principal:



[root@server etc]# ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: list -e
slot KVNO Principal
  -
1 2 host/server.wasielewski.co...@wasielewski.co.uk (aes256-cts-hmac-sha1-96)
2 2 host/server.wasielewski.co...@wasielewski.co.uk (aes128-cts-hmac-sha1-96)
3 2 host/server.wasielewski.co...@wasielewski.co.uk (des3-cbc-sha1)
4 2 host/server.wasielewski.co...@wasielewski.co.uk (arcfour-hmac)
5 5 nfs/server.wasielewski.co...@wasielewski.co.uk (aes256-cts-hmac-sha1-96)



My versions are:
Fedora 17 (kernel 3.8.13-100.fc17.x86_64)
FreeIPA 2.2.2
krb5 1.10.2
nfs-utils 1.2.6
I have read of this issue being fixed by downgrading nfs-utils to 1.2.5; 
however that is not possible due to conflict with systemd. Everything else 
appears to work OK e.g. domain login, automap etc. When I try to mount the 
Kerberised NFS share, *nothing* appears in /var/log/krb5kdc.log



Here is my syslog output when I attempt the mount:



Jul 12 01:13:10 server rpc.gssd[31628]: dir_notify_handler: sig 37 si 0x7fffe59b94f0 data 0x7fffe59b93c0
Jul 12 01:13:10 server rpc.gssd[31628]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt48)
Jul 12 01:13:10 server rpc.gssd[31628]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
Jul 12 01:13:10 server rpc.gssd[31628]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt48)
Jul 12 01:13:10 server rpc.gssd[31628]: process_krb5_upcall: service is ''
Jul 12 01:13:10 server rpc.gssd[31628]: Full hostname for 'server.wasielewski.co.uk' is 'server.wasielewski.co.uk'

Re: [Freeipa-users] Problem with Kerberised NFS mount

2013-07-12 Thread Rob Crittenden

Chuck Lever wrote:


On Jul 12, 2013, at 2:43 PM, Ondrej Valousek <ovalou...@vendavo.com> wrote:


Just back to the Kerberized NFS. Any solution to RH bugzilla #786463
on the horizon yet?
Expiring tickets will render the whole concept unusable otherwise.

Anyone?


Ask on linux-...@vger.kernel.org.  I
know upstream is working on this problem.


https://fedorahosted.org/gss-proxy/ will solve the problem.

rob



Re: [Freeipa-users] Problem with Kerberised NFS mount

2013-07-12 Thread Adamson, Andy

On Jul 12, 2013, at 2:43 PM, Ondrej Valousek <ovalou...@vendavo.com> wrote:

Just back to the Kerberized NFS. Any solution to RH bugzilla #786463 on the 
horizon yet?
Expiring tickets will render the whole concept unusable otherwise.

Hi

I'm looking into Kerberized NFS client issues and bugs. I'll be sure to add 
this to my todo list.  Do you know if anyone has tried with the latest upstream 
kernel?

-->Andy


Anyone?
O.


Sent from Samsung Mobile

---- Original message ----
From: Ondrej Valousek <ovalou...@vendavo.com>
Date:
To: and...@wasielewski.co.uk,freeipa-users@redhat.com
Subject: RE: [Freeipa-users] Problem with Kerberised NFS mount


Hard to say.
In general, when dealing w/ nfs & kerberos, I would advise to:
● Upgrade to the latest fedora
● Make sure idmapper is configured and working fine
● Limit krb enctypes to 3des-cbc-crc (not sure if your kernel can handle aes 
keys).
Ondrej


Sent from Samsung Mobile

---- Original message ----
From: Andrew Wasielewski <and...@wasielewski.co.uk>
Date:
To: freeipa-users@redhat.com
Subject: [Freeipa-users] Problem with Kerberised NFS mount


Hello everyone,



I am setting up FreeIPA for a small home network. However I have a problem 
mounting NFS shares with Kerberos enabled - see syslog output below.



My NFS, KDC and FreeIPA servers are all on the same host. I am running the NFS 
mount directly on the server, which has local firewall disabled - I get the 
same outcome on a remote client, but this surely eliminates any network issues.



These are my NFS exports, which are visible both locally and remotely with 
"showmount -e":-



[root@server ~]# exportfs -av
exporting gss/krb5:/home
exporting gss/krb5i:/home
exporting gss/krb5p:/home



The command "mount -t nfs4 -o sec=krb5 
server.wasielewski.co.uk:/home /mnt/test_mnt" 
hangs indefinitely. However without the Kerberos export options the NFS share 
can be mounted both locally and remotely without problem.



I read in a post that the "serializing key with enctype 18 and size 32" entry 
in syslog means I am trying to use an unsupported key with AES256 encryption (I 
can find very little about enctype numbers though); however I appear to have an 
AES256 service principal:



[root@server etc]# ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: list -e
slot KVNO Principal
  -
1 2 host/server.wasielewski.co...@wasielewski.co.uk (aes256-cts-hmac-sha1-96)
2 2 host/server.wasielewski.co...@wasielewski.co.uk (aes128-cts-hmac-sha1-96)
3 2 host/server.wasielewski.co...@wasielewski.co.uk (des3-cbc-sha1)
4 2 host/server.wasielewski.co...@wasielewski.co.uk (arcfour-hmac)
5 5 nfs/server.wasielewski.co...@wasielewski.co.uk (aes256-cts-hmac-sha1-96)



My versions are:
Fedora 17 (kernel 3.8.13-100.fc17.x86_64)
FreeIPA 2.2.2
krb5 1.10.2
nfs-utils 1.2.6
I have read of this issue being fixed by downgrading nfs-utils to 1.2.5; 
however that is not possible due to conflict with systemd. Everything else 
appears to work OK e.g. domain login, automap etc. When I try to mount the 
Kerberised NFS share, *nothing* appears in /var/log/krb5kdc.log



Here is my syslog output when I attempt the mount:



Jul 12 01:13:10 server rpc.gssd[31628]: dir_notify_handler: sig 37 si 0x7fffe59b94f0 data 0x7fffe59b93c0
Jul 12 01:13:10 server rpc.gssd[31628]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt48)
Jul 12 01:13:10 server rpc.gssd[31628]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
Jul 12 01:13:10 server rpc.gssd[31628]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt48)
Jul 12 01:13:10 server rpc.gssd[31628]: process_krb5_upcall: service is ''
Jul 12 01:13:10 server rpc.gssd[31628]: Full hostname for 'server.wasielewski.co.uk' is 'server.wasielewski.co.uk'
Jul 12 01:13:10 server rpc.gssd[31628]: Full hostname for 'server.wasielewski.co.uk' is 'server.wasielewski.co.uk'
Jul 12 01:13:10 server rpc.gssd[31628]: No key table entry found for 
SERVER.WASIELEWSKI.CO.UK$@WASIELEWSKI.CO.UK<mailto:SERVER.WASIELEWSKI.CO.UK$@WASIELEWSKI.CO.UK>
 while getting keytab entry for 
'SERVER.WASIELEWSKI.CO.UK$@WASIELEWSKI.CO.UK<mailto:S
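
[Added example, not part of the original thread or of any poster's message.] The rpc.gssd upcall quoted above lists enctypes by number while the ktutil listing shows them by name; this Python sketch maps one onto the other and lists the principals rpc.gssd looked up and did not find. The host name, realm and sample lines are constructed (example.test), modelled on the log format in the post, and the function names are illustrative.

```python
import re

# Kerberos enctype numbers seen in the rpc.gssd upcall line, named the way
# MIT krb5's ktutil prints them in `list -e` output.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
NAME_TO_NUMBER = {name: number for number, name in ENCTYPE_NAMES.items()}

# Constructed sample input (not taken from a real host): same line formats as
# the syslog excerpt and ktutil listing in the thread, placeholder names.
SAMPLE_SYSLOG = """\
Jul 12 01:13:10 server rpc.gssd[31628]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
Jul 12 01:13:10 server rpc.gssd[31628]: No key table entry found for SERVER.EXAMPLE.TEST$@EXAMPLE.TEST while getting keytab entry for 'SERVER.EXAMPLE.TEST$@EXAMPLE.TEST'
Jul 12 01:13:10 server rpc.gssd[31628]: No key table entry found for root/server.example.test@EXAMPLE.TEST while getting keytab entry for 'root/server.example.test@EXAMPLE.TEST'
"""

SAMPLE_KTUTIL = """\
slot KVNO Principal
   1    2 host/server.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   2    2 host/server.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
   3    2 host/server.example.test@EXAMPLE.TEST (des3-cbc-sha1)
   4    2 host/server.example.test@EXAMPLE.TEST (arcfour-hmac)
   5    5 nfs/server.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
"""

UPCALL_RE = re.compile(r"handle_gssd_upcall: '.*?enctypes=([\d,]+)")
MISSING_RE = re.compile(r"No key table entry found for (\S+) while getting keytab entry")
KEYTAB_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+@\S+)\s+\(([^)]+)\)\s*$")


def upcall_enctypes(syslog):
    """Enctype numbers offered in the first gssd upcall, in the order logged."""
    for line in syslog.splitlines():
        match = UPCALL_RE.search(line)
        if match:
            return [int(n) for n in match.group(1).split(",") if n]
    return []


def missing_principals(syslog):
    """Principals rpc.gssd searched the keytab for and did not find (deduplicated)."""
    seen = []
    for line in syslog.splitlines():
        match = MISSING_RE.search(line)
        if match and match.group(1) not in seen:
            seen.append(match.group(1))
    return seen


def keytab_entries(listing):
    """Parse `ktutil list -e` output into {principal: [enctype names]}."""
    entries = {}
    for line in listing.splitlines():
        match = KEYTAB_RE.match(line)  # header and separator lines do not match
        if match:
            entries.setdefault(match.group(3), []).append(match.group(4))
    return entries


def diagnose(syslog, listing):
    """Compare the enctypes offered in the upcall with the keys in the keytab."""
    offered = upcall_enctypes(syslog)
    report = {
        "offered": [ENCTYPE_NAMES.get(n, f"unknown({n})") for n in offered],
        "not_in_keytab": missing_principals(syslog),
        "usable": {},    # keytab keys whose enctype appears in the upcall list
        "unusable": {},  # keytab keys whose enctype the upcall did not offer
    }
    for principal, names in keytab_entries(listing).items():
        for name in names:
            bucket = "usable" if NAME_TO_NUMBER.get(name) in offered else "unusable"
            report[bucket].setdefault(principal, []).append(name)
    return report


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_SYSLOG, SAMPLE_KTUTIL).items():
        print(f"{key}: {value}")
```

On the constructed sample every keytab key is of a type the upcall offers (18 is aes256-cts-hmac-sha1-96), and the two reported principals are ones that are simply absent from the keytab.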

Re: [Freeipa-users] Problem with Kerberised NFS mount

2013-07-12 Thread Chuck Lever

On Jul 12, 2013, at 2:43 PM, Ondrej Valousek  wrote:

> Just back to the Kerberized NFS. Any solution to RH bugzilla #786463 on the 
> horizon yet?
> Expiring tickets will render the whole concept unusable otherwise.
> 
> Anyone?

Ask on linux-...@vger.kernel.org.  I know upstream is working on this problem.

> O.
> 
> 
> Sent from Samsung Mobile
> 
> ---- Original message ----
> From: Ondrej Valousek
> Date:
> To: and...@wasielewski.co.uk,freeipa-users@redhat.com
> Subject: RE: [Freeipa-users] Problem with Kerberised NFS mount
> 
> 
> Hard to say.
> In general, when dealing w/ nfs & kerberos, I would advise to:
> ● Upgrade to the latest fedora
> ● Make sure idmapper is configured and working fine
> ● Limit krb enctypes to 3des-cbc-crc (not sure if your kernel can handle aes 
> keys).
> Ondrej
> 
> 
> Sent from Samsung Mobile
> 
> ---- Original message ----
> From: Andrew Wasielewski
> Date:
> To: freeipa-users@redhat.com
> Subject: [Freeipa-users] Problem with Kerberised NFS mount
> 
> 
> 
> Hello everyone,
> 
>  
> 
> I am setting up FreeIPA for a small home network. However I have a problem 
> mounting NFS shares with Kerberos enabled - see syslog output below.
> 
>  
> 
> My NFS, KDC and FreeIPA servers are all on the same host. I am running the 
> NFS mount directly on the server, which has local firewall disabled - I get 
> the same outcome on a remote client, but this surely eliminates any network 
> issues.
> 
>  
> 
> These are my NFS exports, which are visible both locally and remotely with 
> "showmount -e":-
> 
>  
> 
> [root@server ~]# exportfs -av
> 
> exporting gss/krb5:/home
> 
> exporting gss/krb5i:/home
> 
> exporting gss/krb5p:/home
> 
>  
> 
> The command "mount -t nfs4 -o sec=krb5 server.wasielewski.co.uk:/home 
> /mnt/test_mnt" hangs indefinitely. However without the Kerberos export 
> options the NFS share can be mounted both locally and remotely without 
> problem.
> 
>  
> 
> I read in a post that the "serializing key with enctype 18 and size 32" entry 
> in syslog means I am trying to use an unsupported key with AES256 encryption 
> (I can find very little about enctype numbers though); however I appear to 
> have an AES256 service principal:
> 
>  
> 
> [root@server etc]# ktutil
> 
> ktutil: rkt /etc/krb5.keytab
> 
> ktutil: list -e
> 
> slot KVNO Principal
> 
>   
> -
> 
> 1 2 host/server.wasielewski.co...@wasielewski.co.uk (aes256-cts-hmac-sha1-96) 
> 
> 2 2 host/server.wasielewski.co...@wasielewski.co.uk (aes128-cts-hmac-sha1-96) 
> 
> 3 2 host/server.wasielewski.co...@wasielewski.co.uk (des3-cbc-sha1) 
> 
> 4 2 host/server.wasielewski.co...@wasielewski.co.uk (arcfour-hmac) 
> 
> 5 5 nfs/server.wasielewski.co...@wasielewski.co.uk (aes256-cts-hmac-sha1-96) 
> 
>  
> 
> My versions are:
> 
> Fedora 17 (kernel 3.8.13-100.fc17.x86_64)
> 
> FreeIPA 2.2.2
> 
> krb5 1.10.2
> 
> nfs-utils 1.2.6
> 
> I have read of this issue being fixed by downgrading nfs-utils to 1.2.5; 
> however that is not possible due to conflict with systemd. Everything else 
> appears to work OK e.g. domain login, automap etc. When I try to mount the 
> Kerberised NFS share, *nothing* appears
>  in /var/log/krb5kdc.log
> 
>  
> 
> Here is my syslog output when I attempt the mount:
> 
>  
> 
> Jul 12 01:13:10 server rpc.gssd[31628]: dir_notify_handler: sig 37 si 
> 0x7fffe59b94f0 data 0x7fffe59b93c0
> 
> Jul 12 01:13:10 server rpc.gssd[31628]: handling gssd upcall 
> (/var/lib/nfs/rpc_pipefs/nfs/clnt48)
> 
> Jul 12 01:13:10 server rpc.gssd[31628]: handle_gssd_upcall: 'mech=krb5 uid=0 
> enctypes=18,17,16,23,3,1,2 '
> 
> Jul 12 01:13:10 server rpc.gssd[31628]: handling krb5 upcall 
> (/var/lib/nfs/rpc_pipefs/nfs/clnt48)
> 
> Jul 12 01:13:10 server rpc.gssd[31628]: process_krb5_upcall: service is 
> ''
> 
> Jul 12 01:13:10 server rpc.gssd[31628]: Full hostname for 
> 'server.wasielewski.co.uk' is 'server.wasielewski.co.uk'
> 
> Jul 12 01:13:10 server rpc.gssd[31628]: Full hostname for 
> 'server.wasielewski.co.uk' is 'server.wasielewski.co.uk'
> 
> Jul 12 01:13:10 server rpc.gssd[31628]: No key table entry found for 
> SERVER.WASIELEWSKI.CO.UK$@WASIELEWSKI.CO.UK while getting keytab entry for 
> 'SERVER.WASIELEWSKI.CO.UK$@WASIELEWSKI.CO.UK'
> 
> Jul 12 01:13:10 server rpc.gssd[31628]: No key table entry found for 
> root/server.was

Re: [Freeipa-users] Problem with Kerberised NFS mount

2013-07-12 Thread Ondrej Valousek
Just back to the Kerberized NFS. Any solution to RH bugzilla #786463 on the 
horizon yet?
Expiring tickets will render the whole concept unusable otherwise.

Anyone?
O.


Sent from Samsung Mobile

Original message
From: Ondrej Valousek 
Date:
To: and...@wasielewski.co.uk,freeipa-users@redhat.com
Subject: RE: [Freeipa-users] Problem with Kerberised NFS mount


Hard to say.
In general, when dealing w/ nfs & kerberos, I would advise to:
● Upgrade to the latest fedora
● Make sure idmapper is configured and working fine
● Limit krb enctypes to 3des-cbc-crc (not sure if your kernel can handle aes 
keys).
Ondrej


Sent from Samsung Mobile

Original message
From: Andrew Wasielewski 
Date:
To: freeipa-users@redhat.com
Subject: [Freeipa-users] Problem with Kerberised NFS mount



Hello everyone,



I am setting up FreeIPA for a small home network. However I have a problem 
mounting NFS shares with Kerberos enabled - see syslog output below.



My NFS, KDC and FreeIPA servers are all on the same host. I am running the NFS 
mount directly on the server, which has local firewall disabled - I get the 
same outcome on a remote client, but this surely eliminates any network issues.



These are my NFS exports, which are visible both locally and remotely with 
"showmount -e":-



[root@server ~]# exportfs -av
exporting gss/krb5:/home
exporting gss/krb5i:/home
exporting gss/krb5p:/home



The command "mount -t nfs4 -o sec=krb5 server.wasielewski.co.uk:/home 
/mnt/test_mnt" hangs indefinitely. However without the Kerberos export options 
the NFS share can be mounted both locally and remotely without problem.



I read in a post that the "serializing key with enctype 18 and size 32" entry 
in syslog means I am trying to use an unsupported key with AES256 encryption (I 
can find very little about enctype numbers though); however I appear to have an 
AES256 service principal:



[root@server etc]# ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: list -e
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 host/server.wasielewski.co...@wasielewski.co.uk (aes256-cts-hmac-sha1-96)
   2    2 host/server.wasielewski.co...@wasielewski.co.uk (aes128-cts-hmac-sha1-96)
   3    2 host/server.wasielewski.co...@wasielewski.co.uk (des3-cbc-sha1)
   4    2 host/server.wasielewski.co...@wasielewski.co.uk (arcfour-hmac)
   5    5 nfs/server.wasielewski.co...@wasielewski.co.uk (aes256-cts-hmac-sha1-96)



My versions are:

Fedora 17 (kernel 3.8.13-100.fc17.x86_64)

FreeIPA 2.2.2

krb5 1.10.2

nfs-utils 1.2.6

I have read of this issue being fixed by downgrading nfs-utils to 1.2.5; 
however that is not possible due to conflict with systemd. Everything else 
appears to work OK e.g. domain login, automap etc. When I try to mount the 
Kerberised NFS share, *nothing* appears in /var/log/krb5kdc.log



Here is my syslog output when I attempt the mount:



Jul 12 01:13:10 server rpc.gssd[31628]: dir_notify_handler: sig 37 si 
0x7fffe59b94f0 data 0x7fffe59b93c0

Jul 12 01:13:10 server rpc.gssd[31628]: handling gssd upcall 
(/var/lib/nfs/rpc_pipefs/nfs/clnt48)

Jul 12 01:13:10 server rpc.gssd[31628]: handle_gssd_upcall: 'mech=krb5 uid=0 
enctypes=18,17,16,23,3,1,2 '

Jul 12 01:13:10 server rpc.gssd[31628]: handling krb5 upcall 
(/var/lib/nfs/rpc_pipefs/nfs/clnt48)

Jul 12 01:13:10 server rpc.gssd[31628]: process_krb5_upcall: service is ''

Jul 12 01:13:10 server rpc.gssd[31628]: Full hostname for 
'server.wasielewski.co.uk' is 'server.wasielewski.co.uk'

Jul 12 01:13:10 server rpc.gssd[31628]: Full hostname for 
'server.wasielewski.co.uk' is 'server.wasielewski.co.uk'

Jul 12 01:13:10 server rpc.gssd[31628]: No key table entry found for 
SERVER.WASIELEWSKI.CO.UK$@WASIELEWSKI.CO.UK while getting keytab entry for 
'SERVER.WASIELEWSKI.CO.UK$@WASIELEWSKI.CO.UK'

Jul 12 01:13:10 server rpc.gssd[31628]: No key table entry found for 
root/server.wasielewski.co...@wasielewski.co.uk while getting keytab entry for 
'root/server.wasielewski.co...@wasielewski.co.uk'

Jul 12 01:13:10 server rpc.gssd[31628]: Success getting keytab entry for 
'nfs/server.wasielewski.co...@wasielewski.co.uk'

Jul 12 01:13:10 server rpc.gssd[31628]: INFO: Credentials in CC 
'FILE:/tmp/krb5cc_machine_WASIELEWSKI.CO.UK' are good until 1373659035

Jul 12 01:13:10 server rpc.gssd[31628]: INFO: Credentials in CC 
'FILE:/tmp/krb5cc_machine_WASIELEWSKI.CO.UK' are good until 1373659035

Jul 12 01:13:10 server rpc.gssd[31628]: using 
FILE:/tmp/krb5cc_machine_WASIELEWSKI.CO.UK as credentials cache for machine 
creds

Jul 12 01:13:10 server rpc.gssd[31628]: using environment variable to select 
krb5 ccache FILE:/tmp/krb5cc_machine_WASIELEWSKI.CO.UK

Jul 12 01:13:10 server rpc.gssd[31628]: creating context using fsuid 0 
(save_uid 0)

Jul 12 01:13:10 server rpc.gssd[31628]: creating 

Re: [Freeipa-users] Problem with Kerberised NFS mount

2013-07-12 Thread Simo Sorce
On Fri, 2013-07-12 at 14:51 +, Ondrej Valousek wrote:
> Hard to say.
> In general, when dealing w/ nfs & kerberos, I would advise to:
> ● Upgrade to the latest fedora
> ● Make sure idmapper is configured and working fine
> ● Limit krb enctypes to 3des-cbc-crc (not sure if your kernel can
> handle aes keys).

3des makes little sense, it is the least used enctype.

If you want to be backwards compatible with old kernels you'll have to
stick with DES (not 3DES) which is utterly insecure these days.
Otherwise go straight to AES and don't look back.

Support for AES has been available for quite a few Fedora releases and in RHEL6.


Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
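
The enctype numbers in the rpc.gssd upcall line quoted in this thread can be decoded and compared with the keys the keytab holds for the nfs service. The following is an added example, not code from any poster or from nfs-utils; the sample log and keytab text are constructed, the principal names are placeholders, and the function names are hypothetical.

```python
import re

# Kerberos enctype numbers as assigned in the IANA registry.
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac",
}
SINGLE_DES = {1, 2, 3}  # the single-DES types the reply above calls insecure

# Constructed sample input, shaped like the output quoted in the thread.
SAMPLE_LOG = """\
Jul 12 01:13:10 server rpc.gssd[31628]: handle_gssd_upcall: 'mech=krb5 uid=0
enctypes=18,17,16,23,3,1,2 '
"""
SAMPLE_KEYTAB = """\
slot KVNO Principal
   1    2 host/server.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   2    2 host/server.example.test@EXAMPLE.TEST (arcfour-hmac)
   3    5 nfs/server.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
"""

def upcall_enctypes(log_text):
    """Enctype numbers from the first gssd upcall, in the order listed."""
    m = re.search(r"enctypes=(\d+(?:,\d+)*)", log_text)
    return [int(n) for n in m.group(1).split(",")] if m else []

def keytab_enctypes(ktutil_text, service):
    """Enctype names of the keys held for service/... in `ktutil list -e` output."""
    rows = re.findall(r"^\s*\d+\s+\d+\s+(\S+?)/\S+\s+\(([^)]+)\)", ktutil_text, re.M)
    return {enc for svc, enc in rows if svc == service}

def check(log_text, ktutil_text, service="nfs"):
    """Compare what the upcall lists with what the keytab holds for the service."""
    offered = upcall_enctypes(log_text)
    held = keytab_enctypes(ktutil_text, service)
    return {
        "offered": [ENCTYPE_NAMES.get(n, f"unknown-{n}") for n in offered],
        "usable": [ENCTYPE_NAMES[n] for n in offered if ENCTYPE_NAMES.get(n) in held],
        "single_des_offered": [ENCTYPE_NAMES[n] for n in offered if n in SINGLE_DES],
    }

if __name__ == "__main__":
    for key, value in check(SAMPLE_LOG, SAMPLE_KEYTAB).items():
        print(f"{key}: {value}")
```

An empty "usable" list would mean the service has no key of any enctype named in the upcall; with the sample data the AES256 key (enctype 18) is in the list.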


Re: [Freeipa-users] Problem with Kerberised NFS mount

2013-07-12 Thread Ondrej Valousek
Hard to say.
In general, when dealing w/ nfs & kerberos, I would advise to:
● Upgrade to the latest fedora
● Make sure idmapper is configured and working fine
● Limit krb enctypes to 3des-cbc-crc (not sure if your kernel can handle aes 
keys).
Ondrej


Sent from Samsung Mobile

Original message
From: Andrew Wasielewski 
Date:
To: freeipa-users@redhat.com
Subject: [Freeipa-users] Problem with Kerberised NFS mount



Hello everyone,



I am setting up FreeIPA for a small home network. However I have a problem 
mounting NFS shares with Kerberos enabled - see syslog output below.



My NFS, KDC and FreeIPA servers are all on the same host. I am running the NFS 
mount directly on the server, which has local firewall disabled - I get the 
same outcome on a remote client, but this surely eliminates any network issues.



These are my NFS exports, which are visible both locally and remotely with 
"showmount -e":-



[root@server ~]# exportfs -av
exporting gss/krb5:/home
exporting gss/krb5i:/home
exporting gss/krb5p:/home



The command "mount -t nfs4 -o sec=krb5 server.wasielewski.co.uk:/home 
/mnt/test_mnt" hangs indefinitely. However without the Kerberos export options 
the NFS share can be mounted both locally and remotely without problem.



I read in a post that the "serializing key with enctype 18 and size 32" entry 
in syslog means I am trying to use an unsupported key with AES256 encryption (I 
can find very little about enctype numbers though); however I appear to have an 
AES256 service principal:



[root@server etc]# ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: list -e
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 host/server.wasielewski.co...@wasielewski.co.uk (aes256-cts-hmac-sha1-96)
   2    2 host/server.wasielewski.co...@wasielewski.co.uk (aes128-cts-hmac-sha1-96)
   3    2 host/server.wasielewski.co...@wasielewski.co.uk (des3-cbc-sha1)
   4    2 host/server.wasielewski.co...@wasielewski.co.uk (arcfour-hmac)
   5    5 nfs/server.wasielewski.co...@wasielewski.co.uk (aes256-cts-hmac-sha1-96)



My versions are:

Fedora 17 (kernel 3.8.13-100.fc17.x86_64)

FreeIPA 2.2.2

krb5 1.10.2

nfs-utils 1.2.6

I have read of this issue being fixed by downgrading nfs-utils to 1.2.5; 
however that is not possible due to conflict with systemd. Everything else 
appears to work OK e.g. domain login, automap etc. When I try to mount the 
Kerberised NFS share, *nothing* appears in /var/log/krb5kdc.log



Here is my syslog output when I attempt the mount:



Jul 12 01:13:10 server rpc.gssd[31628]: dir_notify_handler: sig 37 si 
0x7fffe59b94f0 data 0x7fffe59b93c0

Jul 12 01:13:10 server rpc.gssd[31628]: handling gssd upcall 
(/var/lib/nfs/rpc_pipefs/nfs/clnt48)

Jul 12 01:13:10 server rpc.gssd[31628]: handle_gssd_upcall: 'mech=krb5 uid=0 
enctypes=18,17,16,23,3,1,2 '

Jul 12 01:13:10 server rpc.gssd[31628]: handling krb5 upcall 
(/var/lib/nfs/rpc_pipefs/nfs/clnt48)

Jul 12 01:13:10 server rpc.gssd[31628]: process_krb5_upcall: service is ''

Jul 12 01:13:10 server rpc.gssd[31628]: Full hostname for 
'server.wasielewski.co.uk' is 'server.wasielewski.co.uk'

Jul 12 01:13:10 server rpc.gssd[31628]: Full hostname for 
'server.wasielewski.co.uk' is 'server.wasielewski.co.uk'

Jul 12 01:13:10 server rpc.gssd[31628]: No key table entry found for 
SERVER.WASIELEWSKI.CO.UK$@WASIELEWSKI.CO.UK while getting keytab entry for 
'SERVER.WASIELEWSKI.CO.UK$@WASIELEWSKI.CO.UK'

Jul 12 01:13:10 server rpc.gssd[31628]: No key table entry found for 
root/server.wasielewski.co...@wasielewski.co.uk while getting keytab entry for 
'root/server.wasielewski.co...@wasielewski.co.uk'

Jul 12 01:13:10 server rpc.gssd[31628]: Success getting keytab entry for 
'nfs/server.wasielewski.co...@wasielewski.co.uk'

Jul 12 01:13:10 server rpc.gssd[31628]: INFO: Credentials in CC 
'FILE:/tmp/krb5cc_machine_WASIELEWSKI.CO.UK' are good until 1373659035

Jul 12 01:13:10 server rpc.gssd[31628]: INFO: Credentials in CC 
'FILE:/tmp/krb5cc_machine_WASIELEWSKI.CO.UK' are good until 1373659035

Jul 12 01:13:10 server rpc.gssd[31628]: using 
FILE:/tmp/krb5cc_machine_WASIELEWSKI.CO.UK as credentials cache for machine 
creds

Jul 12 01:13:10 server rpc.gssd[31628]: using environment variable to select 
krb5 ccache FILE:/tmp/krb5cc_machine_WASIELEWSKI.CO.UK

Jul 12 01:13:10 server rpc.gssd[31628]: creating context using fsuid 0 
(save_uid 0)

Jul 12 01:13:10 server rpc.gssd[31628]: creating tcp client for server 
server.wasielewski.co.uk

Jul 12 01:13:10 server rpc.gssd[31628]: DEBUG: port already set to 2049

Jul 12 01:13:10 server rpc.gssd[31628]: creating context with server 
n...@server.wasielewski.co.uk

Jul 12 01:13:10 server rpc.svcgssd[32135]: leaving poll

Jul 12 01:13:10 server rpc.svcgssd[32135]: handling null request

Jul 12 01:13:10 server rpc.svcgssd[32135]: svcgssd_limit_krb5_enctypes: Calling 
gss_set_allowable_enctypes with 7 enctypes from the kernel

Jul 12 01:13:10 server rpc.svcgssd[32135]